Solved

Sonicwall DMZ Question

Posted on 2010-11-19
42
2,724 Views
Last Modified: 2012-05-10
I have a SonicWall NSA 240 with a Primary and Secondary internet connection, set for failover and load balancing.

I have 3 machines that only have external IPs and I need to add them to the DMZ for the secondary internet connection.  

I want to use X3-X5 as the ports for this, but can't seem to find out how to get it to work.  I've looked through the Admin Guide, so please don't post that, I can't find the answer in it.
Question by:ben9035
42 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34178131
so, you need help setting up a secondary gateway?

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781

regarding wan failover:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828

regarding the DMZ, are you wanting to give these three computers a public IP each?
0
 

Author Comment

by:ben9035
ID: 34178135
They already have public IP addresses.  I've set up the secondary gateway already, and already created WAN failover.  I'm unable to get the external IPs working on interfaces X3-X5 because it keeps saying it's on the same subnet as X2 (secondary gateway).  SonicWall told me this was possible before I bought the product, but, big shocker, the 24x7 support I pay for isn't being answered by a technician right now.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178152
maybe they considered that you'd have those three ports in transparent mode.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979

when you configure a port in transparent mode, the IP addresses MUST be in the same subnet as the WAN interface.

i've never configured the sonicwall in this method before, but it seems plausible.
0
 

Author Comment

by:ben9035
ID: 34178173
I added a new address object, gave it a range of .xx1-.xx5 (open IPs of the subnet), tried to add the interface X3 in transparent mode to the DMZ zone, and I get the error:

Error: Transparent Range not in WAN subnet
0
 

Author Comment

by:ben9035
ID: 34178182
Do the external addresses *have* to be a member of the primary WAN subnet, or can they be on the secondary?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178200
since you want to include three, i'd create an address object for each rather than a range.

i don't believe so.
0
 

Author Comment

by:ben9035
ID: 34178210
don't believe they can be on the secondary?

I'll create addy obj for each and try....
0
 

Author Comment

by:ben9035
ID: 34178234
Adding address objects for all 3 IPs and going that route didn't do anything.  I'm still getting the error.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178235
i've been doing some reading and i'm seeing where you cannot use transparent mode where you've configured WAN load balancing or failover.  i'll keep looking.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178244
i think that error is starting to make more sense.  if you've configured a port in transparent mode and have configured wan failover/load balance, the sonicwall must look at the primary gateway IP addresses when configuring the transparent mode settings.

you could possibly tell by disabling wan failover as a test, then try configuring transparent mode on the ports.
0
 

Author Comment

by:ben9035
ID: 34178254
I've disabled the load balancing, but I don't see a selection for failover.  Is that automatic with two WAN connections?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178265
where are you configuring it?  under network > WAN Failover & LB?
0
 

Author Comment

by:ben9035
ID: 34178270
Yes
0
 

Author Comment

by:ben9035
ID: 34178314
Ok.  I switched primary and secondary gateways, and I got it to add.  I set up a static route for any service from LAN subnets to use the secondary gateway (what WAS primary, much heftier connection), so that's good.  However, I can't ping from the machine that I got to use transparent mode.  Ideas?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178328
so, the clients on the LAN are able to ping to the internet, say, 4.2.2.2?

when you set up the transparent interface, did you use a range or a single IP?  do you have the subnet mask and gateway correct as well as DNS?
0
 

Author Comment

by:ben9035
ID: 34178334
Yes, I'm on the connection now.

I used a single IP.  When I created the address object, I chose "DMZ" rather than "WAN", I didn't assign it a gateway or DNS as a result.  Should I have done WAN?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178341
in which IP subnet do you want the transparent (DMZ) hosts?  the WAN or secondary WAN?
0
 

Author Comment

by:ben9035
ID: 34178346
WAN...now.  

Wait...should there be a static route to take the traffic coming from X3 and pushing it out, say, X1 Gateway, X1 interface?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178368
so, you configured an address object and gave it a public IP address within the subnet of the WAN interface (but NOT the IP of the WAN interface), right?

then, you used that address object when you configured the transparent mode of the interface you used, right?

then, you configured the public IP assigned to the address object on the workstation along with the subnet mask and gateway used for the WAN interface, right?

what DNS server have you used for the computer on the transparent port?
0
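As an added example (not from the thread, and not SonicWall's own code), the check below mirrors the condition behind the "Transparent Range not in WAN subnet" error and the points digitap lists above: each transparent-mode host must sit inside the subnet of the WAN interface it is bound to, and must not reuse the interface IP, the ISP gateway, or the network/broadcast address. All addresses are constructed sample values from RFC 5737 documentation ranges.

```python
"""Sanity-check candidate transparent-mode host IPs against a WAN interface.

Added example, not part of the original thread. With WAN failover/load
balancing enabled the firewall validates transparent ranges against the
PRIMARY WAN subnet, so pass that interface's IP, prefix and gateway here.
"""
import ipaddress


def check_transparent_hosts(wan_ip: str, prefixlen: int, gateway: str, hosts):
    """Return {host_ip: [problems]} for each candidate; an empty list means
    the address is usable as a transparent-mode HOST address object."""
    iface = ipaddress.ip_interface(f"{wan_ip}/{prefixlen}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        # The WAN interface itself is misconfigured; nothing downstream can work.
        raise ValueError(f"gateway {gw} is not inside WAN subnet {net}")

    results = {}
    for h in hosts:
        addr = ipaddress.ip_address(h)
        problems = []
        if addr not in net:
            # This is the condition the appliance reports as
            # "Transparent Range not in WAN subnet".
            problems.append("not in WAN subnet")
        else:
            if addr == iface.ip:
                problems.append("collides with WAN interface IP")
            if addr == gw:
                problems.append("collides with ISP gateway")
            if addr in (net.network_address, net.broadcast_address):
                problems.append("network or broadcast address")
        results[h] = problems
    return results


if __name__ == "__main__":
    # Constructed sample: primary WAN is 203.0.113.10/29, ISP gateway .9.
    report = check_transparent_hosts(
        "203.0.113.10", 29, "203.0.113.9",
        ["203.0.113.11", "203.0.113.12", "203.0.113.10",
         "203.0.113.9", "203.0.113.15", "198.51.100.5"],
    )
    for ip, problems in report.items():
        print(f"{ip:<15} {'OK' if not problems else '; '.join(problems)}")
```

The 198.51.100.5 entry stands in for an address from the secondary WAN's subnet, which is exactly the case that failed in the thread until the gateways were swapped.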
 

Author Comment

by:ben9035
ID: 34178372
Yes

Yes

Yes

the ones for the WAN
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178378
so, even after that, you can't ping anything on the internet?  say, 4.2.2.2 (public DNS)?
0
 

Author Comment

by:ben9035
ID: 34178382
Nope.  I'm confused now.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178389
also, double check your firewall access rules.  what zone did you assign the transparent mode to?  make sure the access rules are allowing traffic.  if DMZ, then DMZ > WAN and WAN > DMZ.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178395
the steps say that you can also use either the ISP gateway (the one configured on your WAN interface) or the IP address assigned to the WAN interface.

try changing this on your computer and let's see what happens.
0
 

Author Comment

by:ben9035
ID: 34178401
firewall rules are good to go.

you're talking about for the gateway on the pc right?
0
 

Author Comment

by:ben9035
ID: 34178405
Nothing.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178407
yes.

hmmm.  wish i could get a look at the config.
0
 

Author Comment

by:ben9035
ID: 34178415
It's really weird.  If I unplug the WAN interface, plug it into a switch, and plug the cable from the PC into the switch, everything works fine.

Kind of smells like a routing problem doesn't it?
0
 

Author Comment

by:ben9035
ID: 34178419
Also, in the interface table, next to X3, it has the WAN ip listed, NOT the ip that I put into the address object.  Is that normal?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178426
yes, it does seem a route is not correct.  either that or a misconfiguration.  double check the address object assigned to the x3 interface.  did you configure it as a host?
0
 

Author Comment

by:ben9035
ID: 34178439
Name: DMZ1

Zone Assignment: DMZ

Type: HOST

IP: in the same subnet as WAN
0
 

Author Comment

by:ben9035
ID: 34178446
X3 IP            Any           Any             X1 Default Gateway               X1         1           9    
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178453
make the address object part of the WAN zone.
0
 

Author Comment

by:ben9035
ID: 34178458
Tried, nada.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178471
i'm stumped.  it seems you followed the KB exactly.  i'm not sure what's left without seeing it.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
0
 

Author Comment

by:ben9035
ID: 34178475
Understandable.  Thanks a lot for all your help anyway.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178480
sure.  obviously, i'll keep monitoring it.  when sonicwall's 24x7 support responds and IF they fix it, let me know what they figure out.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34178482
also, if i think of something else, i'll post.
0
 

Author Comment

by:ben9035
ID: 34178491
I'll definitely do that.  
0
 

Accepted Solution

by:
ben9035 earned 0 total points
ID: 34190549
The problem came down to the machine not being registered in the ARP cache.  I manually set an entry for it, went to dinner, then came back, checked the entry, tried to ping, no luck.  Called SonicWall support back, finally got someone, they logged in, removed the manual ARP entry, and everything started working fine.  Other than that, as you indicated, the configuration was definitely correct.  

I had a similar problem this morning with the Video Conferencing system that was also to be placed in the DMZ, I did the same things, added the proper routing entry, and everything worked on it as well.

Thanks again for all your help.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34190634
thanks for posting the full solution and glad you got it working!
0
 

Author Closing Comment

by:ben9035
ID: 34221266
Full description of problem and solution are within answer.  Digitap tried to help me resolve, but we never came to a conclusion.
0
